Added error-speedlimit type and further explained how each setting works

For feature #1030 Now speedlimit errors themselves can be tracked.
Geeklog-Core · Apr 29, 2022 · 5d7b373 · 5d7b373
1 parent 1982f2e
commit 5d7b373
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 13 deletions.
diff --git a/public_html/lib-common.php b/public_html/lib-common.php
@@ -6398,7 +6398,8 @@ function COM_makeList($listOfItems, $className = '')
 /**
  * Check if speed limit applies
  *
- * @param    string $type        type of speed limit, e.g. 'submit', 'comment'
+ * @param    string $type        type of speed limit or error limit 
+ *								 e.g. 'submit', 'comment', 'error-404', 'error-spam'
  * @param    int    $max         max number of allowed tries within speed limit
  * @param    string $property    IP address or other identifiable property
  * @param    bool   $isSpeeding  this variable is set to true if the number of speeding exceeds $max
@@ -6407,7 +6408,7 @@ function COM_makeList($listOfItems, $className = '')
  */
 function COM_checkSpeedlimit($type = 'submit', $max = 1, $property = '', &$isSpeeding = false)
 {
-    global $_TABLES;
+    global $_TABLES, $_CONF;
 
     $last = 0;
     $isSpeeding = false;
@@ -6429,10 +6430,10 @@ function COM_checkSpeedlimit($type = 'submit', $max = 1, $property = '', &$isSpe
         $property = \Geeklog\IP::getIPAddress();
     }
 
-    $type = DB_escapeString($type);
-    $property = DB_escapeString($property);
+    $esc_type = DB_escapeString($type);
+    $esc_property = DB_escapeString($property);
 
-    $res = DB_query("SELECT date FROM {$_TABLES['speedlimit']} WHERE (type = '$type') AND (ipaddress = '$property') ORDER BY date");
+    $res = DB_query("SELECT date FROM {$_TABLES['speedlimit']} WHERE (type = '$esc_type') AND (ipaddress = '$esc_property') ORDER BY date");
 
     // If the number of allowed tries has not been reached,
     // return 0 (didn't hit limit)
@@ -6449,12 +6450,23 @@ function COM_checkSpeedlimit($type = 'submit', $max = 1, $property = '', &$isSpe
             $last = 1;
         }
     }
-
+	
     // Since Geeklog 2.2.2
     // Set the $isSpeeding variable and call PLG_onSpeeding() to let the plugins and custom function (CUSTOM_onSpeeding)
     // know that the user is speeding
     $isSpeeding = true;
     PLG_onSpeeding($type, $property, $last);
+
+	// Check if to many speedlimits being hit all at once
+    if ($last > 0 && $type != 'error-speedlimit') {
+		// Can't check itself for speedlimit ('error-speedlimit')
+		// Remember multiple speedlimits could be triggered on one page request. For example a comment posting has a speedlimit and also spam has an error limit. So if a comment was posted to soon after the last posting that was also considered spam, this one comment posting would generate 2 of these error types
+		COM_clearSpeedlimit($_CONF['speedlimit_window_error-speedlimit'], 'error-speedlimit');
+		COM_checkSpeedlimit('error-speedlimit', $_CONF['speedlimit_max_error-speedlimit'], $property, $isSpeeding);
+		if (!$isSpeeding) {
+			COM_updateSpeedlimit('error-speedlimit', $property);
+		}        	
+	}	
 
     return $last;
 }

diff --git a/system/lib-plugins.php b/system/lib-plugins.php
@@ -75,6 +75,7 @@
 define('RECAPTCHA_DEFAULT_SCORE_THRESHOLD', 0.5);
 
 // Constants for the max number of allowed tries within speed limit (since Geeklog 2.2.2)
+// Types in Geeklog core include: comment, likes, mail, password, pingback, submit, trackback
 const SPEED_LIMIT_MAX_COMMENT = 1;
 const SPEED_LIMIT_MAX_LIKES = 1;
 const SPEED_LIMIT_MAX_MAIL = 1;
@@ -83,15 +84,37 @@
 const SPEED_LIMIT_MAX_SUBMIT = 1;
 const SPEED_LIMIT_MAX_TRACKBACK = 1;
 
-// Error Limits (since Geeklog 2.2.2)
+/*
+Error Limits (since Geeklog 2.2.2)
+Types in Geeklog core include: 
+	error-403
+		For Illegal access to admin screen.
+		This only gets triggered after 'login_attempts' config option has been reached.
+		
+	error-404
+		All 404 errors included.
+		Remember to consider search engine bots as they may generate 404 errors. This should happen at a slow pace though.
+		
+	error-spam
+		All types of SPAM included.
+		All speedlimits should be the same so this error limit can work correctly.
+
+	error-speedlimit
+		All speedlimits reached included.
+		All speedlimits should be the same so this error limit can work correctly.
+		Need to consider not only speedlimits but also 'error-spam'.
+		
+*/
 // Config Options for the max number of allowed tries within speed limit (from 1 to ...)
-$_CONF['speedlimit_max_error-403'] = 3; // Illegal access to admin screen
-$_CONF['speedlimit_max_error-404'] = 10;
-$_CONF['speedlimit_max_error-spam'] = 3; // All types of SPAM included
+$_CONF['speedlimit_max_error-403'] = 3; 
+$_CONF['speedlimit_max_error-404'] = 20;
+$_CONF['speedlimit_max_error-spam'] = 5;
+$_CONF['speedlimit_max_error-speedlimit'] = 10;
 // Config Options for the time window used in COM_clearSpeedlimit (in seconds)
-$_CONF['speedlimit_window_error-403'] = 60;
-$_CONF['speedlimit_window_error-404'] = 60;
-$_CONF['speedlimit_window_error-spam'] = 60;
+$_CONF['speedlimit_window_error-403'] = 60; 
+$_CONF['speedlimit_window_error-404'] = 120;
+$_CONF['speedlimit_window_error-spam'] = 270; // Based on anonymous users and all speedlimits (comment, likes, etc.) enabled and set to 45 seconds. 
+$_CONF['speedlimit_window_error-speedlimit'] = 540; // Based on 'error-spam' settings
 
 // buffer for function names for the center block API
 $PLG_bufferCenterAPI = [];